Security Operations Fundamentals > [T2]: Lab - Microsoft Sentinel SIEM - How to query stored logs
How to query stored logs
One of your essential
tasks as an analyst is to query data to get insights and
information about what happened. To query events, Microsoft
Sentinel uses a query language called "Kusto Query Language
(KQL)."
From Sentinel main page, go to "Logs".
Figure - zoom in
Logs are stored in the "Log Analytics workspace" previously
created. These logs are organized as tables. Windows events
are stored in a table called
"SecurityEvent."
To explore the events stored in these tables and order them
in chronological order type:
SecurityEvent
| order by
TimeGenerated
Figure - zoom in
Now, find the count of events by executing the following
query:
SecurityEvent
| count
Figure - zoom in
Try to select randomly only ten events:
SecurityEvent
| limit 10
Figure - zoom in
Use project function to view only
Computer and
Account columns:
SecurityEvent
| project Computer,
Account
Figure - zoom in
Project all columns except the Computer
column:
SecurityEvent
| project-away
Computer
Figure - zoom in
Now, find the number of events of every
EventID:
SecurityEvent
| summarize
count() by
EventID
Figure - zoom in
To illustrate the data, you can render the result as graphs.
An example of a bar chart can happen through execution:
SecurityEvent
| summarize
count() by EventID
| extend
EventID = tostring(EventID)
| render
barchart
Figure - zoom in
Do the same, but this time, draw a pie chart:
SecurityEvent
| summarize
count() by
EventID
| extend EventID =
tostring(EventID)
| render piechart
Figure - zoom in
Additional reading: